Category: Cyber-physical risk · Reviewed by Chrissie Anderson, Client Executive · Last reviewed 2026-06-10
Wearable insurance refers to insurance products in which a wrist-worn or body-worn device — typically a smartwatch or fitness band — supplies activity, heart rate, sleep and other physiological data used in engagement, rewards or, more cautiously, pricing.
Wearable insurance is closely related to but narrower than connected health insurance: the focus here is on the device, its data, and the UK GDPR analysis applicable to its use. The Vitality Apple Watch programme is the leading UK example.
Definition
A wearable insurance product typically:
Provides the customer access to a wearable device — either at retail price, at a subsidised price, or, in the most developed model, at a monthly cost that can be “earned down” through activity;
Collects activity points and physiological metrics under explicit consent;
Translates points into rewards, status tiers or premium variations; and
Is offered as an opt-in benefit alongside a base PMI, Life or protection product.
Devices include Apple Watch, Fitbit (Google), Garmin, Polar, Whoop, Oura ring, Samsung Galaxy Watch and bespoke insurer-branded devices.
Legal / Regulatory basis
The UK data protection framework dominates:
UK GDPR Article 5 — purpose limitation, data minimisation, accuracy, storage limitation.
UK GDPR Article 6 — lawful basis (consent / contract).
UK GDPR Article 9 — special category data (health). Lawful only on an Article 9 condition; for wearables, explicit consent under Article 9(2)(a) is the typical basis. Schedule 1, Part 1 paragraph 7 (DPA 2018) provides a limited “insurance” condition for some processing purposes but does not blanket-authorise wearable data processing.
UK GDPR Article 22 — automated decision-making. Where a wearable’s data drives an automated premium change, additional safeguards apply, including the right to human intervention.
UK GDPR Article 25 — data protection by design and by default.
UK GDPR Article 35 — DPIA, mandatory for large-scale special category processing.
Data Protection Act 2018, Schedule 1 conditions for processing special category and criminal offence data.
Data (Use and Access) Act 2025 (subject to enactment / as enacted) — reforms to the UK data protection regime, including changes to Article 22 ADM safeguards and to research processing. Insurers should review their wearable programmes after commencement of the relevant provisions.
ICO, Wearables, Health sector and AI Auditing Framework guidance.
MHRA Software as a Medical Device guidance — where the device or its companion app performs medical functions.
EU comparators include EDPB Guidelines on consent (05/2020) and on data subject rights.
How it works in practice
The Vitality Apple Watch programme is the prototype:
Eligibility — customer must hold an eligible Vitality policy.
Device acquisition — customer pays an initial activation fee and a monthly amount of approximately £10 over 24 months for the device.
Activity earnings — by reaching 160 or 240 activity points per month (depending on plan), the monthly £10 charge is waived.
Data collection — Apple Health data is shared with Vitality under explicit consent; only the points and required metrics are processed by Vitality.
Status and rewards — Bronze, Silver, Gold, Platinum tiers unlock rewards and, in Life products, premium variation.
Customer controls — withdrawal of consent and deletion of activity history.
A UK GDPR Article 35 DPIA is conducted before launch; the design includes data minimisation (Vitality does not receive raw heart rate streams in the basic programme); ADM safeguards apply.
Common variations / Subsequent developments
Vitality Active Rewards — the main UK example; covers Apple Watch and other devices.
John Hancock Vitality (US comparator) — moved its US Life book to a Vitality-style model in 2018.
Whoop and Oura partnerships — emerging in protection and wellness.
Insurer-branded devices — including some early Garmin partnerships.
Mental health and sleep apps — extension into broader wellness data.
Data (Use and Access) Act 2025 — changes to ADM safeguards; insurers should update privacy notices, DPIAs and Article 22 controls.
The MHRA’s evolving stance on Software as a Medical Device affects products that interpret physiological data for clinical purposes; insurers must ensure their wearable programme designs do not inadvertently bring them within the medical device perimeter.
Example
A UK customer enrols in the Vitality Active Rewards Apple Watch programme alongside their £45/month PMI policy. They pay £39 upfront and £10/month for a Series 10 Apple Watch over 24 months. In months where they reach 240 activity points (verified by Apple Health), the £10 charge is waived. In months they do not, the charge is applied. Over two years, they earn the watch with negligible net outlay and accumulate Platinum status, unlocking renewal credits and partner rewards. All processing is on explicit Article 9 UK GDPR consent; the Vitality DPIA documents data minimisation; the customer can withdraw consent at any time.
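As an added illustration (not code from this entry or from Vitality), the Python sketch below models the two design points of the programme described above and in the worked example: the insurer receives only a minimised payload (month and points, never the raw heart-rate or sleep data held by the companion app), and the £10 monthly charge is waived in months where the plan's points target (160 or 240) is met. The plan names, the record field names, and the handling after consent withdrawal (nothing further shared, so no waiver can be verified and the charge applies) are assumptions, not taken from the page.

```python
# Added illustration (not Vitality's code): minimised data flow and monthly
# waiver logic for a wearable programme. Plan names, record fields and the
# post-withdrawal handling are assumptions, not taken from the page.

ACTIVATION_FEE_GBP = 39.0          # figures from the worked example
MONTHLY_CHARGE_GBP = 10.0
TERM_MONTHS = 24
PLAN_THRESHOLDS = {"standard": 160, "enhanced": 240}  # hypothetical plan names


def constructed_months(points_by_month):
    """Constructed companion-app records; each carries raw physiological
    data that the insurer must NOT receive in the basic programme."""
    return [
        {"month": f"{2026 + i // 12}-{i % 12 + 1:02d}", "points": pts,
         "heart_rate_bpm": [58 + i, 71, 138, 129], "sleep_hours": 6.5 + (i % 3) * 0.5}
        for i, pts in enumerate(points_by_month)
    ]


def minimise_for_insurer(record):
    """Data minimisation (UK GDPR Art. 5(1)(c)): forward only what the waiver decision needs."""
    return {"month": record["month"], "points": int(record["points"])}


def monthly_charge(points, threshold):
    """The monthly device charge is waived when the plan's points target is met."""
    return 0.0 if points >= threshold else MONTHLY_CHARGE_GBP


def run_programme(records, plan, consent_withdrawn_after=None):
    """Simulate the 24-month term. After consent withdrawal (assumption) nothing
    further is shared, so no waiver can be verified and the charge applies."""
    threshold = PLAN_THRESHOLDS[plan]
    total, shared, waived = ACTIVATION_FEE_GBP, [], 0
    for i, rec in enumerate(records[:TERM_MONTHS]):
        if consent_withdrawn_after is not None and i >= consent_withdrawn_after:
            total += MONTHLY_CHARGE_GBP
            continue
        payload = minimise_for_insurer(rec)   # raw heart-rate/sleep never leave the device side
        shared.append(payload)
        charge = monthly_charge(payload["points"], threshold)
        waived += charge == 0.0
        total += charge
    return {"total_outlay": total, "waived_months": waived, "shared": shared}


if __name__ == "__main__":
    months = constructed_months([250] * 18 + [200] * 3 + [120] * 3)
    for plan in PLAN_THRESHOLDS:
        r = run_programme(months, plan)
        print(plan, r["waived_months"], "months waived, outlay £%.0f" % r["total_outlay"])
```

The `shared` list is the full record of what crossed to the insurer, which is the artefact a DPIA reviewer would inspect to confirm the minimisation claim.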
References
MHRA, Software and AI as a Medical Device guidance (2023–2024).
IAIS, Application Paper on Cyber Risk Underwriting (2020).
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.